From: Kubilay Kocak
Reply-To: koobs@FreeBSD.org
To: Wen Heping, FreeBSD Python Team
Date: Thu, 8 Sep 2022 10:31:20 +1000
Subject: lang/python*: Security and bug fix releases not marked or merged
List-Id: FreeBSD-specific Python issues
List-Archive: https://lists.freebsd.org/archives/freebsd-python

Hi Wen,

The latest round of lang/python* updates (3.9.14 still pending) don't appear to have been marked as security releases (in security/vuxml) or merged to the quarterly branch (for security and bugfixes).

lang/python310: Update to 3.10.7
https://cgit.freebsd.org/ports/commit/lang?id=1d9f19a0169e1cdbfedda11b75635fe89444a6c1
https://docs.python.org/release/3.10.7/whatsnew/changelog.html#python-3-10-7-final

lang/python37: Update to 3.7.14
https://cgit.freebsd.org/ports/commit/lang?id=7a50813b62ea926b18447a23cd75aa84b5569f22
https://www.python.org/downloads/release/python-3714/

lang/python38: Update to 3.8.14
https://cgit.freebsd.org/ports/commit/lang?id=fddd2fc682516649a9a180d65fbece9c3ff80af0
https://docs.python.org/release/3.8.14/whatsnew/changelog.html

lang/python39: Update to 3.9.14
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266286
https://docs.python.org/release/3.9.14/whatsnew/changelog.html

Everyone appreciates your time and effort keeping Python language ports up to date, but it's also important that we set a high standard of QA and completeness. It goes without saying that this is especially the case for security issues.

Additionally, the Python team has the luxury of having an upstream that has multiple long-lived minor version branches that only receive security and bug fixes (with an explicit no feature change policy). This means that every release after a version x.0 is a bugfix and/or security update, and should be merged (merge by default).

I'd like to ask (everyone) that all future Python language port updates at a minimum:

- Have issues created in Bugzilla
- Have at least one other Python team member review/accept before being committed, ideally more.
- For maintenance releases (any versions after a *.0), are marked for merging by default (merge-quarterly = ?), and merged before being considered resolved and closing in Bugzilla.
- For security updates: Have security/vuxml entry patches attached alongside version update patches in Bugzilla

--
Regards,

Kubilay
^Python